integration: save hierarchy across runs (letsencrypt#5729)

jsha · web-flow · commit ba0ea090b29a · 2021-10-20T17:06:33.000-07:00
This allows repeated runs using the same hiearchy, and avoids spurious errors from ocsp-updater saying "This CA doesn't have an issuer cert with ID XXX" Fixes letsencrypt#5721
diff --git a/.gitignore b/.gitignore
@@ -37,3 +37,5 @@ tags
 .idea
 
 .vscode/*
+.hierarchy/
+.softhsm-tokens/
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -9,6 +9,8 @@ services:
     volumes:
       - .:/go/src/github.com/letsencrypt/boulder:cached
       - ./.gocache:/root/.cache/go-build:cached
+      - ./.hierarchy:/hierarchy/:cached
+      - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
     networks:
       bluenet:
         ipv4_address: 10.77.77.77
diff --git a/test/cert-ceremonies/generate.go b/test/cert-ceremonies/generate.go
@@ -76,7 +76,7 @@ func genCert(path string) error {
 func main() {
 	// If one of the output files already exists, assume this ran once
 	// already for the container and don't re-run.
-	outputFile := "/tmp/root-signing-pub-rsa.pem"
+	outputFile := "/hierarchy/root-signing-pub-rsa.pem"
 	if loc, err := os.Stat(outputFile); err == nil && loc.Mode().IsRegular() {
 		fmt.Println("skipping certificate generation: already exists")
 		return
@@ -113,13 +113,13 @@ func main() {
 	// signing key slots and IDs
 	rsaTmpIntermediateA, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
 		"SlotID":     rsaRootKeySlot,
-		"CertPath":   "/tmp/intermediate-cert-rsa-a.pem",
+		"CertPath":   "/hierarchy/intermediate-cert-rsa-a.pem",
 		"CommonName": "CA intermediate (RSA) A",
 	})
 	cmd.FailOnError(err, "failed to rewrite RSA intermediate cert config with key ID")
 	ecdsaTmpIntermediateA, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml", map[string]string{
 		"SlotID":     ecdsaRootKeySlot,
-		"CertPath":   "/tmp/intermediate-cert-ecdsa-a.pem",
+		"CertPath":   "/hierarchy/intermediate-cert-ecdsa-a.pem",
 		"CommonName": "CA intermediate (ECDSA) A",
 	})
 	cmd.FailOnError(err, "failed to rewrite ECDSA intermediate cert config with key ID")
@@ -134,13 +134,13 @@ func main() {
 	// signing key slots and IDs
 	rsaTmpIntermediateB, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
 		"SlotID":     rsaRootKeySlot,
-		"CertPath":   "/tmp/intermediate-cert-rsa-b.pem",
+		"CertPath":   "/hierarchy/intermediate-cert-rsa-b.pem",
 		"CommonName": "CA intermediate (RSA) B",
 	})
 	cmd.FailOnError(err, "failed to rewrite RSA intermediate cert config with key ID")
 	ecdsaTmpIntermediateB, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml", map[string]string{
 		"SlotID":     ecdsaRootKeySlot,
-		"CertPath":   "/tmp/intermediate-cert-ecdsa-b.pem",
+		"CertPath":   "/hierarchy/intermediate-cert-ecdsa-b.pem",
 		"CommonName": "CA intermediate (ECDSA) B",
 	})
 	cmd.FailOnError(err, "failed to rewrite ECDSA intermediate cert config with key ID")
diff --git a/test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml b/test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml
@@ -5,8 +5,8 @@ pkcs11:
     signing-key-slot: {{ .SlotID}}
     signing-key-label: root signing key (ecdsa)
 inputs:
-    public-key-path: /tmp/intermediate-signing-pub-ecdsa.pem
-    issuer-certificate-path: /tmp/root-cert-ecdsa.pem
+    public-key-path: /hierarchy/intermediate-signing-pub-ecdsa.pem
+    issuer-certificate-path: /hierarchy/root-cert-ecdsa.pem
 outputs:
     certificate-path: {{ .CertPath }}
 certificate-profile:
diff --git a/test/cert-ceremonies/intermediate-ceremony-rsa.yaml b/test/cert-ceremonies/intermediate-ceremony-rsa.yaml
@@ -5,8 +5,8 @@ pkcs11:
     signing-key-slot: {{ .SlotID}}
     signing-key-label: root signing key (rsa)
 inputs:
-    public-key-path: /tmp/intermediate-signing-pub-rsa.pem
-    issuer-certificate-path: /tmp/root-cert-rsa.pem
+    public-key-path: /hierarchy/intermediate-signing-pub-rsa.pem
+    issuer-certificate-path: /hierarchy/root-cert-rsa.pem
 outputs:
     certificate-path: {{ .CertPath }}
 certificate-profile:
diff --git a/test/cert-ceremonies/intermediate-key-ceremony-ecdsa.yaml b/test/cert-ceremonies/intermediate-key-ceremony-ecdsa.yaml
@@ -8,4 +8,4 @@ key:
     type: ecdsa
     ecdsa-curve: P-384
 outputs:
-    public-key-path: /tmp/intermediate-signing-pub-ecdsa.pem
+    public-key-path: /hierarchy/intermediate-signing-pub-ecdsa.pem
diff --git a/test/cert-ceremonies/intermediate-key-ceremony-rsa.yaml b/test/cert-ceremonies/intermediate-key-ceremony-rsa.yaml
@@ -8,4 +8,4 @@ key:
     type: rsa
     rsa-mod-length: 2048
 outputs:
-    public-key-path: /tmp/intermediate-signing-pub-rsa.pem
+    public-key-path: /hierarchy/intermediate-signing-pub-rsa.pem
diff --git a/test/cert-ceremonies/intermediate-ocsp-rsa.yaml b/test/cert-ceremonies/intermediate-ocsp-rsa.yaml
@@ -5,10 +5,10 @@ pkcs11:
     signing-key-slot: {{ .SlotID}}
     signing-key-label: root signing key (rsa)
 inputs:
-    certificate-path: /tmp/intermediate-cert-rsa-a.pem
-    issuer-certificate-path: /tmp/root-cert-rsa.pem
+    certificate-path: /hierarchy/intermediate-cert-rsa-a.pem
+    issuer-certificate-path: /hierarchy/root-cert-rsa.pem
 outputs:
-    response-path: /tmp/intermediate-ocsp-rsa.b64
+    response-path: /hierarchy/intermediate-ocsp-rsa.b64
 ocsp-profile:
     this-update: 2020-01-01 12:00:00
     next-update: 2039-01-01 12:00:00
diff --git a/test/cert-ceremonies/root-ceremony-ecdsa.yaml b/test/cert-ceremonies/root-ceremony-ecdsa.yaml
@@ -8,8 +8,8 @@ key:
     type: ecdsa
     ecdsa-curve: P-384
 outputs:
-    public-key-path: /tmp/root-signing-pub-ecdsa.pem
-    certificate-path: /tmp/root-cert-ecdsa.pem
+    public-key-path: /hierarchy/root-signing-pub-ecdsa.pem
+    certificate-path: /hierarchy/root-cert-ecdsa.pem
 certificate-profile:
     signature-algorithm: ECDSAWithSHA384
     common-name: CA root (ECDSA)
diff --git a/test/cert-ceremonies/root-ceremony-rsa.yaml b/test/cert-ceremonies/root-ceremony-rsa.yaml
@@ -8,8 +8,8 @@ key:
     type: rsa
     rsa-mod-length: 4096
 outputs:
-    public-key-path: /tmp/root-signing-pub-rsa.pem
-    certificate-path: /tmp/root-cert-rsa.pem
+    public-key-path: /hierarchy/root-signing-pub-rsa.pem
+    certificate-path: /hierarchy/root-cert-rsa.pem
 certificate-profile:
     signature-algorithm: SHA256WithRSA
     common-name: CA root (RSA)
diff --git a/test/config-next/ca-a.json b/test/config-next/ca-a.json
@@ -60,7 +60,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-a.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
             "numSessions": 2
           }
         },
@@ -72,7 +72,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-b.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
             "numSessions": 2
           }
         }
diff --git a/test/config-next/ca-b.json b/test/config-next/ca-b.json
@@ -60,7 +60,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-a.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
             "numSessions": 2
           }
         },
@@ -72,7 +72,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-b.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
             "numSessions": 2
           }
         }
diff --git a/test/config-next/ocsp-responder.json b/test/config-next/ocsp-responder.json
@@ -7,9 +7,9 @@
     "path": "/",
     "listenAddress": "0.0.0.0:4002",
     "issuerCerts": [
-      "/tmp/intermediate-cert-rsa-a.pem",
-      "/tmp/intermediate-cert-rsa-b.pem",
-      "/tmp/intermediate-cert-ecdsa-a.pem"
+      "/hierarchy/intermediate-cert-rsa-a.pem",
+      "/hierarchy/intermediate-cert-rsa-b.pem",
+      "/hierarchy/intermediate-cert-ecdsa-a.pem"
     ],
     "maxAge": "10s",
     "timeout": "4.9s",
diff --git a/test/config-next/orphan-finder.json b/test/config-next/orphan-finder.json
@@ -1,9 +1,9 @@
 {
   "backdate": "1h",
   "issuerCerts": [
-    "/tmp/intermediate-cert-rsa-a.pem",
-    "/tmp/intermediate-cert-rsa-b.pem",
-    "/tmp/intermediate-cert-ecdsa-a.pem"
+    "/hierarchy/intermediate-cert-rsa-a.pem",
+    "/hierarchy/intermediate-cert-rsa-b.pem",
+    "/hierarchy/intermediate-cert-ecdsa-a.pem"
   ],
 
   "syslog": {
diff --git a/test/config-next/publisher.json b/test/config-next/publisher.json
@@ -4,20 +4,20 @@
     "blockProfileRate": 1000000000,
     "chains": [
       [
-        "/tmp/intermediate-cert-rsa-a.pem",
-        "/tmp/root-cert-rsa.pem"
+        "/hierarchy/intermediate-cert-rsa-a.pem",
+        "/hierarchy/root-cert-rsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-rsa-b.pem",
-        "/tmp/root-cert-rsa.pem"
+        "/hierarchy/intermediate-cert-rsa-b.pem",
+        "/hierarchy/root-cert-rsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-ecdsa-a.pem",
-        "/tmp/root-cert-ecdsa.pem"
+        "/hierarchy/intermediate-cert-ecdsa-a.pem",
+        "/hierarchy/root-cert-ecdsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-ecdsa-b.pem",
-        "/tmp/root-cert-ecdsa.pem"
+        "/hierarchy/intermediate-cert-ecdsa-b.pem",
+        "/hierarchy/root-cert-ecdsa.pem"
       ]
     ],
     "debugAddr": ":8009",
diff --git a/test/config-next/ra.json b/test/config-next/ra.json
@@ -12,9 +12,9 @@
     "blockedKeyFile": "test/example-blocked-keys.yaml",
     "orderLifetime": "168h",
     "issuerCerts": [
-      "/tmp/intermediate-cert-rsa-a.pem",
-      "/tmp/intermediate-cert-rsa-b.pem",
-      "/tmp/intermediate-cert-ecdsa-a.pem"
+      "/hierarchy/intermediate-cert-rsa-a.pem",
+      "/hierarchy/intermediate-cert-rsa-b.pem",
+      "/hierarchy/intermediate-cert-ecdsa-a.pem"
     ],
     "tls": {
       "caCertFile": "test/grpc-creds/minica.pem",
diff --git a/test/config-next/wfe.json b/test/config-next/wfe.json
@@ -52,6 +52,6 @@
   },
 
   "common": {
-    "issuerCert": "/tmp/intermediate-cert-rsa-a.pem"
+    "issuerCert": "/hierarchy/intermediate-cert-rsa-a.pem"
   }
 }
diff --git a/test/config-next/wfe2.json b/test/config-next/wfe2.json
@@ -41,20 +41,20 @@
     },
     "chains": [
       [
-        "/tmp/intermediate-cert-rsa-a.pem",
-        "/tmp/root-cert-rsa.pem"
+        "/hierarchy/intermediate-cert-rsa-a.pem",
+        "/hierarchy/root-cert-rsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-rsa-b.pem",
-        "/tmp/root-cert-rsa.pem"
+        "/hierarchy/intermediate-cert-rsa-b.pem",
+        "/hierarchy/root-cert-rsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-ecdsa-a.pem",
-        "/tmp/root-cert-ecdsa.pem"
+        "/hierarchy/intermediate-cert-ecdsa-a.pem",
+        "/hierarchy/root-cert-ecdsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-ecdsa-b.pem",
-        "/tmp/root-cert-ecdsa.pem"
+        "/hierarchy/intermediate-cert-ecdsa-b.pem",
+        "/hierarchy/root-cert-ecdsa.pem"
       ]
     ],
     "staleTimeout": "5m",
diff --git a/test/config/ca-a.json b/test/config/ca-a.json
@@ -60,7 +60,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-a.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
             "numSessions": 2
           }
         },
@@ -72,7 +72,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-b.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
             "numSessions": 2
           }
         }
diff --git a/test/config/ca-b.json b/test/config/ca-b.json
@@ -60,7 +60,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-a.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
             "numSessions": 2
           }
         },
@@ -72,7 +72,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-b.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
             "numSessions": 2
           }
         }
diff --git a/test/config/ocsp-responder.json b/test/config/ocsp-responder.json
@@ -7,9 +7,9 @@
     "path": "/",
     "listenAddress": "0.0.0.0:4002",
     "issuerCerts": [
-      "/tmp/intermediate-cert-rsa-a.pem",
-      "/tmp/intermediate-cert-rsa-b.pem",
-      "/tmp/intermediate-cert-ecdsa-a.pem"
+      "/hierarchy/intermediate-cert-rsa-a.pem",
+      "/hierarchy/intermediate-cert-rsa-b.pem",
+      "/hierarchy/intermediate-cert-ecdsa-a.pem"
     ],
     "maxAge": "10s",
     "timeout": "4.9s",
diff --git a/test/config/orphan-finder.json b/test/config/orphan-finder.json
@@ -1,9 +1,9 @@
 {
   "backdate": "1h",
   "issuerCerts": [
-    "/tmp/intermediate-cert-rsa-a.pem",
-    "/tmp/intermediate-cert-rsa-b.pem",
-    "/tmp/intermediate-cert-ecdsa-a.pem"
+    "/hierarchy/intermediate-cert-rsa-a.pem",
+    "/hierarchy/intermediate-cert-rsa-b.pem",
+    "/hierarchy/intermediate-cert-ecdsa-a.pem"
   ],
 
 
diff --git a/test/config/publisher.json b/test/config/publisher.json
@@ -4,20 +4,20 @@
     "blockProfileRate": 1000000000,
     "chains": [
       [
-        "/tmp/intermediate-cert-rsa-a.pem",
-        "/tmp/root-cert-rsa.pem"
+        "/hierarchy/intermediate-cert-rsa-a.pem",
+        "/hierarchy/root-cert-rsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-rsa-b.pem",
-        "/tmp/root-cert-rsa.pem"
+        "/hierarchy/intermediate-cert-rsa-b.pem",
+        "/hierarchy/root-cert-rsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-ecdsa-a.pem",
-        "/tmp/root-cert-ecdsa.pem"
+        "/hierarchy/intermediate-cert-ecdsa-a.pem",
+        "/hierarchy/root-cert-ecdsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-ecdsa-b.pem",
-        "/tmp/root-cert-ecdsa.pem"
+        "/hierarchy/intermediate-cert-ecdsa-b.pem",
+        "/hierarchy/root-cert-ecdsa.pem"
       ]
     ],
     "debugAddr": ":8009",
diff --git a/test/config/ra.json b/test/config/ra.json
@@ -11,7 +11,7 @@
     "weakKeyFile": "test/example-weak-keys.json",
     "blockedKeyFile": "test/example-blocked-keys.yaml",
     "orderLifetime": "168h",
-    "issuerCertPath":  "/tmp/intermediate-cert-rsa-a.pem",
+    "issuerCertPath":  "/hierarchy/intermediate-cert-rsa-a.pem",
     "tls": {
       "caCertFile": "test/grpc-creds/minica.pem",
       "certFile": "test/grpc-creds/ra.boulder/cert.pem",
diff --git a/test/config/wfe.json b/test/config/wfe.json
@@ -53,6 +53,6 @@
   },
 
   "common": {
-    "issuerCert": "/tmp/intermediate-cert-rsa-a.pem"
+    "issuerCert": "/hierarchy/intermediate-cert-rsa-a.pem"
   }
 }
diff --git a/test/config/wfe2.json b/test/config/wfe2.json
@@ -40,12 +40,12 @@
       }
     },
     "certificateChains": {
-      "http://boulder:4430/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ],
-      "http://127.0.0.1:4000/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ]
+      "http://boulder:4430/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ],
+      "http://127.0.0.1:4000/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ]
     },
     "alternateCertificateChains": {
-      "http://boulder:4430/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ],
-      "http://127.0.0.1:4000/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ]
+      "http://boulder:4430/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ],
+      "http://127.0.0.1:4000/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ]
     },
     "staleTimeout": "5m",
     "authorizationLifetimeDays": 30,
diff --git a/test/helpers.py b/test/helpers.py
diff --git a/test/integration-test.py b/test/integration-test.py
diff --git a/test/integration/orphan_finder_test.go b/test/integration/orphan_finder_test.go
diff --git a/test/issuer-ocsp-responder.json b/test/issuer-ocsp-responder.json
diff --git a/test/v1_integration.py b/test/v1_integration.py
diff --git a/test/v2_integration.py b/test/v2_integration.py
